How the Coming Privacy Layer Will Fix the Broken Web

Howard Wu

Our private lives have become a public commodity. Today, the business model of the web is to provide free services in exchange for personal data. Web services then sell this data. The user is not given a choice and is instead forced to give up their data in exchange for the services they want, and often in exchange for nothing, at the cost of personal privacy. As web services evolve to become more personalized, this business model puts web services at odds with their users.

The natural response is to turn to regulation to address the issue. In recent years, new regulations such as the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have been enacted, mandating web services give users the option to not be tracked and to have their data be deleted. These mandates, however, have introduced perverse incentives for web services. Users are presented with banners requesting consent that are at best confusing and at worst misleading. Every web service uses its own standard; some forms default to opt-in tracking, others default to opt-out. Over time, users give up on these banners and select the default option, giving web services their data.

At a more fundamental level, incentives — of users and web services — must be aligned for change to be real, effective, and lasting. Fortunately, we’re about to see a change in how the web works. New technologies, based on cryptography, are enabling a class of web services that are more incentive-aligned with users. Way beyond a matter of data ownership, though, these technologies unlock new functionalities that can make the web more fair and more user-focused.

Blockchains + serverless computing = user control

In the last decade, consumer devices have increased significantly in performance and it has become possible to run applications with rich user experiences directly on-device. Coupled with the growing globalization of web services, demand for faster loading and processing times has made serverless computing a new standard for applications. This transition has shifted business logic from servers to clients.

This deceptively subtle change is a big deal. At the heart of the serverless revolution are blockchains, which are public, immutable ledgers that enforce the scarcity, and proper ownership, of data and logic. At the core, blockchains enable users to directly interact with one another, without the need for centralized servers or third parties to broker and facilitate any services.

Blockchains give users ownership and control. The introduction of blockchains has enabled assets and public resources — such as financial assets, domain namespaces, and even works of art — to be owned and managed by users themselves.

Traditional server architectures are prone to crash, and managed by third parties who typically retain custody over user assets and data. For the first time, services running on blockchains can achieve 100% uptime and availability, enabling a user experience that is consistent, seamless, and borderless. Users take control of their assets through direct ownership of their accounts on the blockchain, without intermediation by third parties.

While there are many benefits of blockchains for users, they come with three major drawbacks:

  • Major scaling challenges. These open networks require all participants to store and validate the state of their ledger, which limits the ability for the network itself to process a large number of transactions. Current architectures are prone to network congestion, high transaction fees, and low transaction throughput.
  • Limited-execution environments. As all participants are currently forced to re-execute all transactions in order to verify the state of their ledger, every service on a blockchain is effectively time-sharing a single, global compute resource. This means most web applications today are unable to execute on existing blockchain architectures.
  • Loss of privacy. Services on blockchains today are pseudonymous, meaning they expose the state of accounts to all participants in the network. And so, while users can take back control of their assets, it could come at the cost of risking personal privacy if associations between that activity and other metadata reveal more than people know.

For any widely used application to use this technology at scale, these three challenges must be addressed. Cryptography — techniques for secure communication and private information exchange — provides a way for blockchains to power practical applications.

Zero-knowledge proofs

In recent years, a new technology called zero-knowledge proofs has become practical for real-world use. At its core, a zero-knowledge proof is a protocol that allows one party (the prover) to convince another party (the verifier) that they possess some private data without revealing that data to anyone.

This technology, which has existed for decades and only recently became practical through modern computing, has profound implications. Unlike most web technologies today, zero-knowledge proofs enable users to run business logic on their personal data and prove to others the correctness of the computed result (again, without revealing their personal data). They also enable users to know with certainty how their personal data is being used while retaining full control of it. These properties are critical for solving many of the data and privacy problems the above regulations have attempted to address, with a less blunt tool.

When used to power services running on blockchains, zero-knowledge proofs enable applications to scale arbitrarily because participants in the network no longer need to re-execute every transaction in their ledger. Rather, participants merely need to check a succinct proof that is both constant-time and constant-size. This not only means applications executed using zero-knowledge proofs are faster to process, but it also means applications can be of arbitrary size without compromising blockchain throughput. These features enable scaling applications that were previously thought to be impractical in peer-to-peer web architectures.

New web standards built with zero-knowledge proofs and blockchains will therefore offer users choice by introducing a new privacy layer for the web. What if our private lives could no longer become a public commodity, and the web were private-by-default? Let’s take a look at the possibilities.

Making web services more secure

Consider web authentication standards today. When a new user creates an account, they enter their password and send it to the server. The server receives the user’s password and proceeds to “hash” the password, storing this hash in a database and creating a fingerprint to check against the next time the user logs in.

But this standard is broken. For one, even practiced web services mishandle passwords and leave users’ information vulnerable. Second, some web services follow bad practices by enforcing weak password requirements, failing to hash users’ passwords, or simply choosing a weak hashing algorithm. This means that if a web service suffers a data breach, its users’ passwords are more susceptible to dictionary attacks (whereby commonly-used passwords are easily breached) or immediately compromised.

With zero-knowledge proofs, however, users can now hash their password on-device, that is, without ever having to send their password to any web service. Imagine never having your password compromised again because of others’ errors, bad actors, or reasons beyond your control.

No web service can do this today because there is no way to verify that a user correctly hashed their password on the client side. Given the shift from server to client mentioned before, this lags behind where we practically are today. But by introducing a new technology that allows services to verify the correctness of all computations on the user’s device, without having to go through another’s server, web services will know with certainty that the user’s password was hashed using the right algorithm.

Increasing compliance, and fairness

One of the most talked about applications of blockchains is the concept of programmable money and decentralized finance (DeFi) — including decentralized exchanges, where users can trade value directly with one another through open, public networks. Instead of restricting financial services to traditional banks and brokerages only, blockchains pave the way for a financial revolution that can bring more people into the system.

The challenge is that while users can now achieve direct ownership of their assets, their financial transactions in this new model are also visible to anyone. This means their trades could be subject to frontrunning and arbitrage by anyone observing the exchange. Not only is this problematic for users, it also violates exchange regulations and banking privacy laws. With zero-knowledge proofs, however, exchanges can facilitate users’ trades privately, receiving a zero-knowledge proof attesting to the validity and legitimacy of each completed trade. This means only the users who are performing an exchange can see the contents of the trade; not even the exchange has knowledge of the trade details.

So wouldn’t this create another set of problems that then hides this information from important know-your-customer and anti-money laundering compliance laws (KYC/AML)? That’s the beauty of zero-knowledge proofs: At the time of use, they produce an audit trail that allows users (and regulators) to verify the honesty and correctness of each trade that takes place on an exchange.

The near future of the web

The web has evolved in many ways — we went from HTTP to HTTPS, which led to an explosion of ecommerce, trust, and exchange on the web. But we’re still at the beginning.

The next phase, this next decade, will be about the ability to interact with anyone, anywhere, at any time — privately, without revealing one’s data, and with more control in the user’s hands. For this to happen, however, zero-knowledge proofs and blockchains will need to achieve standardization among web ecosystems and web developers. Zero-knowledge proofs will need to continue improving performance in order to support large-scale applications. And blockchains will need to use zero-knowledge proofs in order to scale and achieve real-world adoption. This means web services will need time to integrate with these technologies, and users will need to become informed on the guarantees and implications of these new standards.

And while regulators will be equipped with new tools to protect users on the web, they will need to embrace the opportunities these technologies provide for security, privacy, compliance, and fairness. For example, enforcing compliance at the time-of-use instead of after-the-fact log inspections introduces a new level of auditability and traceability for web services. Regulators will need to develop new frameworks based on these technologies for private money and private applications.

But what these technologies can bring us will be truly transformative. Zero-knowledge proofs will redefine the privacy guarantees that web services offer, and invert the model for how users manage their personal data. Blockchains will enable users to truly control their financial assets and personal data, without requiring third parties to retain control in ways that don’t always benefit users. As increasingly more people come to rely on the web for their daily lives, this paradigm will fundamentally shift how users all around the world interact with one another … and in ways we have yet to fully understand. Just as smart devices grew to be integral in our daily lives, a privacy layer for the web will be the foundation for how we interact and share, and it will change everything.